From e87c42cb75f5dab730dc63ee0b8ff78d011734ac41dccd40f5c993bf96781e76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Rostecki?=
Date: Mon, 9 Nov 2020 17:48:32 +0000
Subject: [PATCH] Accepting request 847325 from home:mrostecki:branches:security:netfilter
- Remove the patch which enforces usage of iptables instead of nftables: * 0001-firewall-backend-Switch-default-backend-to-iptables.patch - Add firewalld zone for the docker0 interface. This is the workaround for lack of nftables support in docker. Without that additional zone, containers have no Internet connectivity. (rhbz#1817022) - Update to 0.9.1: * Bugfixes: * docs(firewall-cmd): clarify lockdown whitelist command paths * fix(dbus): getActivePolicies shouldn't return a policy if a zone is not active * fix(policy): zone interface/source changes should affect all using zone
OBS-URL: https://build.opensuse.org/request/show/847325
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=107
---
 ...d-Switch-default-backend-to-iptables.patch | 45 -------------------
 docker-zone.xml | 6 +++
 firewalld-0.9.0.tar.gz | 3 --
 firewalld-0.9.1.tar.gz | 3 ++
 firewalld.changes | 16 +++++++
 firewalld.spec | 10 +++--
 6 files changed, 32 insertions(+), 51 deletions(-)
 delete mode 100644 0001-firewall-backend-Switch-default-backend-to-iptables.patch
 create mode 100644 docker-zone.xml
 delete mode 100644 firewalld-0.9.0.tar.gz
 create mode 100644 firewalld-0.9.1.tar.gz
diff --git a/0001-firewall-backend-Switch-default-backend-to-iptables.patch b/0001-firewall-backend-Switch-default-backend-to-iptables.patch
deleted file mode 100644
index 3179681..0000000
--- a/0001-firewall-backend-Switch-default-backend-to-iptables.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Index: firewalld-0.8.3/config/firewalld.conf
-===================================================================
---- firewalld-0.8.3.orig/config/firewalld.conf
-+++ firewalld-0.8.3/config/firewalld.conf
-@@ -43,9 +43,9 @@ LogDenied=off
- # FirewallBackend
- # Selects the firewall backend implementation.
- # Choices are:
--# - nftables (default)
--# - iptables (iptables, ip6tables, ebtables and ipset)
--FirewallBackend=nftables
-+# - nftables
-+# - iptables (iptables, ip6tables, ebtables and ipset) (default)
-+FirewallBackend=iptables
- 
- # FlushAllOnReload
- # Flush all runtime rules on a reload. In previous releases some runtime
-Index: firewalld-0.8.3/doc/xml/firewalld.conf.xml
-===================================================================
---- firewalld-0.8.3.orig/doc/xml/firewalld.conf.xml
-+++ firewalld-0.8.3/doc/xml/firewalld.conf.xml
-@@ -149,8 +149,8 @@
- 
- 
- Selects the firewall backend implementation. Possible values
-- are; nftables (default), or
-- iptables. This applies to all
-+ are; nftables, or
-+ iptables (default). This applies to all
- firewalld primitives. The only exception is direct and
- passthrough rules which always use the traditional iptables,
- ip6tables, and ebtables backends.
-Index: firewalld-0.8.3/src/firewall/config/__init__.py.in
-===================================================================
---- firewalld-0.8.3.orig/src/firewall/config/__init__.py.in
-+++ firewalld-0.8.3/src/firewall/config/__init__.py.in
-@@ -127,7 +127,7 @@ FALLBACK_IPV6_RPFILTER = True
- FALLBACK_INDIVIDUAL_CALLS = False
- FALLBACK_LOG_DENIED = "off"
- FALLBACK_AUTOMATIC_HELPERS = "no"
--FALLBACK_FIREWALL_BACKEND = "nftables"
-+FALLBACK_FIREWALL_BACKEND = "iptables"
- FALLBACK_FLUSH_ALL_ON_RELOAD = True
- FALLBACK_RFC3964_IPV4 = True
- FALLBACK_ALLOW_ZONE_DRIFTING = False
diff --git a/docker-zone.xml b/docker-zone.xml
new file mode 100644
index 0000000..a469812
--- /dev/null
+++ b/docker-zone.xml
@@ -0,0 +1,6 @@
+
+
+ docker
+ All network connections are accepted.
+
+
diff --git a/firewalld-0.9.0.tar.gz b/firewalld-0.9.0.tar.gz
deleted file mode 100644
index fcd864d..0000000
--- a/firewalld-0.9.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7cfbf8a33f726151e60c07486af0921fa05cbbab097adf90ec1caef37b49d9a0
-size 2007954
diff --git a/firewalld-0.9.1.tar.gz b/firewalld-0.9.1.tar.gz
new file mode 100644
index 0000000..f7098b9
--- /dev/null
+++ b/firewalld-0.9.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7e3db6ed84919dd10add39cc7a28d97b5a9e27a53aeb73abf8af01ef082b74f9
+size 2007880
diff --git a/firewalld.changes b/firewalld.changes
index 60a97ba..0f3c14a 100644
--- a/firewalld.changes
+++ b/firewalld.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Mon Nov 9 09:15:55 UTC 2020 - MichaƂ Rostecki
+
+- Remove the patch which enforces usage of iptables instead of
+ nftables:
+ * 0001-firewall-backend-Switch-default-backend-to-iptables.patch
+- Add firewalld zone for the docker0 interface. This is the
+ workaround for lack of nftables support in docker. Without that
+ additional zone, containers have no Internet connectivity.
+ (rhbz#1817022)
+- Update to 0.9.1:
+ * Bugfixes:
+ * docs(firewall-cmd): clarify lockdown whitelist command paths
+ * fix(dbus): getActivePolicies shouldn't return a policy if a zone is not active
+ * fix(policy): zone interface/source changes should affect all using zone
+
 -------------------------------------------------------------------
 Fri Sep 11 18:05:42 UTC 2020 - Franck Bui
 
diff --git a/firewalld.spec b/firewalld.spec
index 11d62c1..79bd16d 100644
--- a/firewalld.spec
+++ b/firewalld.spec
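Review bot: The new docker-zone.xml carries no comment recording why it exists or when it can be removed, although the commit message itself describes it as a workaround for docker's missing nftables support (rhbz#1817022). As rendered here only the element text survives, so the zone's target and interface binding cannot be confirmed from the hunk, but the description `All network connections are accepted.` states that this zone accepts everything on the interface it is bound to, which is exactly the kind of permissive rule an auditor of `%{_prefix}/lib/firewalld/zones` later needs context for. Add an XML comment at the top of the file such as `<!-- Workaround for docker lacking nftables support (rhbz#1817022): accept-all zone for docker0; drop once docker works with FirewallBackend=nftables -->` so the intended lifetime and the exposure are documented next to the rule rather than only in the changelog.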
@@ -21,14 +21,14 @@
 %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name: firewalld
-Version: 0.9.0
+Version: 0.9.1
 Release: 0
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 License: GPL-2.0-or-later
 Group: Productivity/Networking/Security
 Url: http://www.firewalld.org
-Source: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
-Patch0: 0001-firewall-backend-Switch-default-backend-to-iptables.patch
+Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
+Source1: docker-zone.xml
 BuildRequires: autoconf
 BuildRequires: automake
@@ -151,6 +151,10 @@ rm %{buildroot}%{_sysconfdir}/sysconfig/firewalld
 ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcfirewalld
+# add firewalld zone (rhbz#1817022)
+install -dp %{buildroot}%{_prefix}/lib/firewalld/zones
+install -p -m 644 %{SOURCE1} %{buildroot}%{_prefix}/lib/firewalld/zones/docker.xml
+
 %fdupes %{buildroot}%{python3_sitelib}
 %find_lang %{name} --all-name
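Review bot: The second hunk installs `%{_prefix}/lib/firewalld/zones/docker.xml`, but nothing in this diff touches `%files`; if that section lists the zone directory's contents explicitly rather than globbing `%{_prefix}/lib/firewalld`, the new file is unpackaged and the build stops, so please confirm it is covered. The first hunk drops `Patch0:` while the spec's diffstat (10 lines, all inside these two hunks) shows no change to `%prep`; that is only safe if the patch was applied through `%autosetup` or `%autopatch` rather than an explicit `%patch0` line, which would now fail. Both `%files` and `%prep` lie outside the hunks shown, so this is a request to verify rather than a confirmed defect.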